In the course of giving my security presentations over the past year, I've learned that quite a few folks have never seen the C-I-A triad before. The C-I-A triad stands for:

Confidentiality

Integrity

Availability

It's often illustrated using a triangle like so:

The C-I-A triad forms the basis of how to start thinking about information/data security. The three words mean the following when applied to security:

Confidentiality - Only people authorized to read the data can do so. Usually, the following is included: and they do so only through authorized means or methods.

Integrity - Only people authorized to change the data can do so. Again, the following is usually included: and they do so only through authorized means or methods.

Availability - The data is available to authorized people when they need it.

In security we often focus on the first two items and forget about the last, availability. To do this, however, is a mistake. Typically I find business users and development staff focused on the last, availability, and not so worried about the first two. again, this is a mistake. Good information security balances all three to ensure a reasonably secure system. What do I mean by reasonably secure? It depends on the data. If we're talking about who brought what to the bake sale, there's probably not a lot of security required there. But then again, if we're talking about intellectual property, such as something for which a patent, copyright, or registered trademark hasn't been filed on yet, we may want very good measures in place with respect to confidentiality and integrity.

With all that said, when looking at the initial architecture for a system or application, a good starting point from a security perspective is the C-I-A triad. It's high level enough to start asking the right questions to bake security into the system. And if security is baked in from the beginning, it's a lot cheaper than trying to retrofit a system later to fix security holes. Therefore, when talking with folks about initial development, I make sure they understand the C-I-A triad.

Comments

Posted by Steve Jones on 20 April 2009

Good points, though I argue that often the "A" overwhelms the others. People want availability, often quickly, and as a result, they'll compromise other things.

Posted by bob.willsie on 27 April 2009

In many instances the balance isn't correct. I've worked in organizations that were so concerned with "integrity" that they restricted "availabilty" to data severely.

Even to the point of telling users they could not have read only access via ODBC "because you might change something."

Unfortunately the users bought it because they didn't know better.

I've also seen extreme's in the confidentiality arena. In one organization they thought nothing of giving everyone access to other's social security numbers, but absolutley freaked when a bill of material accidently ended up "in the wrong hands."

I think balance is the key.

Posted by Beat BUCHER on 28 April 2009

Very good points... I come from a small manufacturing company, where they didn't even know how in-secure the data was... by default the ERP system was wide open (which is a design flaw form the software provider in my opinion), letting everyon with a little 'ODBC' knowledge to access the whole data warehouse... It took many years until I could figure them the security holes and try to fix them, but once a system is installed, it's difficult to change (not the system, but the people's behavior :-) ).

Have a nice day.

Posted by Anonymous on 3 June 2009

The current economic climate is pushing many to look for current-year budget savings. This is one of